suricata
app-layer-detect-proto.h File Reference
#include "flow.h"
#include "app-layer-protos.h"
Include dependency graph for app-layer-detect-proto.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Typedefs

typedef struct AppLayerProtoDetectThreadCtx_ AppLayerProtoDetectThreadCtx
 
typedef AppProto(* ProbingParserFPtr) (Flow *f, uint8_t flags, const uint8_t *input, uint32_t input_len, uint8_t *rdir)
 

Functions

AppProto AppLayerProtoDetectGetProto (AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
 Returns the app layer protocol given a buffer. More...
 
int AppLayerProtoDetectPrepareState (void)
 Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered. More...
 
void AppLayerProtoDetectPPRegister (uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2)
 register parser at a port More...
 
int AppLayerProtoDetectPPParseConfPorts (const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
 
int AppLayerProtoDetectPMRegisterPatternCS (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
 Registers a case-sensitive pattern for protocol detection. More...
 
int AppLayerProtoDetectPMRegisterPatternCSwPP (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction, ProbingParserFPtr PPFunc, uint16_t pp_min_depth, uint16_t pp_max_depth)
 
int AppLayerProtoDetectPMRegisterPatternCI (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
 Registers a case-insensitive pattern for protocol detection. More...
 
int AppLayerProtoDetectSetup (void)
 The first function to be called. This initializes a global protocol detection context. More...
 
void AppLayerProtoDetectReset (Flow *)
 Reset proto detect for flow. More...
 
bool AppLayerRequestProtocolChange (Flow *f, uint16_t dp, AppProto expect_proto)
 request applayer to wrap up this protocol and rerun protocol detection. More...
 
bool AppLayerRequestProtocolTLSUpgrade (Flow *f)
 request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS. More...
 
void AppLayerForceProtocolChange (Flow *f, AppProto new_proto)
 Forces a flow app-layer protocol change. Happens for instance when a HTTP2 flow is seen as DOH2. More...
 
int AppLayerProtoDetectDeSetup (void)
 Cleans up the app layer protocol detection phase. More...
 
void AppLayerProtoDetectRegisterProtocol (AppProto alproto, const char *alproto_name)
 Registers a protocol for protocol detection phase. More...
 
void AppLayerProtoDetectRegisterAlias (const char *proto_name, const char *proto_alias)
 
int AppLayerProtoDetectConfProtoDetectionEnabled (const char *ipproto, const char *alproto)
 Given a protocol name, checks if proto detection is enabled in the conf file. More...
 
int AppLayerProtoDetectConfProtoDetectionEnabledDefault (const char *ipproto, const char *alproto, bool default_enabled)
 Given a protocol name, checks if proto detection is enabled in the conf file. More...
 
AppLayerProtoDetectThreadCtxAppLayerProtoDetectGetCtxThread (void)
 Inits and returns an app layer protocol detection thread context. More...
 
void AppLayerProtoDetectDestroyCtxThread (AppLayerProtoDetectThreadCtx *tctx)
 Destroys the app layer protocol detection thread context. More...
 
void AppLayerProtoDetectSupportedIpprotos (AppProto alproto, uint8_t *ipprotos)
 
AppProto AppLayerProtoDetectGetProtoByName (const char *alproto_name)
 
const char * AppLayerProtoDetectGetProtoName (AppProto alproto)
 
void AppLayerProtoDetectSupportedAppProtocols (AppProto *alprotos)
 
void AppLayerRegisterExpectationProto (uint8_t proto, AppProto alproto)
 
void AppLayerProtoDetectUnittestCtxBackup (void)
 Backs up the internal context used by the app layer proto detection module. More...
 
void AppLayerProtoDetectUnittestCtxRestore (void)
 Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup(). More...
 
void AppLayerProtoDetectUnittestsRegister (void)
 Register unittests for app layer proto detection module. More...
 

Detailed Description

Typedef Documentation

◆ AppLayerProtoDetectThreadCtx

◆ ProbingParserFPtr

typedef AppProto(* ProbingParserFPtr) (Flow *f, uint8_t flags, const uint8_t *input, uint32_t input_len, uint8_t *rdir)

Definition at line 33 of file app-layer-detect-proto.h.

Function Documentation

◆ AppLayerForceProtocolChange()

void AppLayerForceProtocolChange ( Flow f,
AppProto  new_proto 
)

Forces a flow app-layer protocol change. Happens for instance when a HTTP2 flow is seen as DOH2.

Parameters
fflow to act on
new_protonew app-layer protocol

Definition at line 1853 of file app-layer-detect-proto.c.

References Flow_::alproto, Flow_::alproto_orig, Flow_::alproto_tc, and Flow_::alproto_ts.

◆ AppLayerProtoDetectConfProtoDetectionEnabled()

int AppLayerProtoDetectConfProtoDetectionEnabled ( const char *  ipproto,
const char *  alproto 
)

Given a protocol name, checks if proto detection is enabled in the conf file.

Parameters
alprotoName of the app layer protocol.
Return values
1If enabled.
0If disabled.

Definition at line 1952 of file app-layer-detect-proto.c.

References AppLayerProtoDetectConfProtoDetectionEnabledDefault().

Referenced by HTPFreeConfig(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterIMAPParsers(), RegisterNFSTCPParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), and RegisterTFTPParsers().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ AppLayerProtoDetectConfProtoDetectionEnabledDefault()

int AppLayerProtoDetectConfProtoDetectionEnabledDefault ( const char *  ipproto,
const char *  alproto,
bool  default_enabled 
)

Given a protocol name, checks if proto detection is enabled in the conf file.

Parameters
alprotoName of the app layer protocol.
default_enabledenable by default if not in the configuration file
Return values
1If enabled.
0If disabled.

Definition at line 1882 of file app-layer-detect-proto.c.

References BUG_ON, ConfGetNode(), ConfValIsFalse(), ConfValIsTrue(), FatalError, RunmodeIsUnittests(), SCEnter, SCLogDebug, SCLogError, SCReturnInt, and ConfNode_::val.

Referenced by AppLayerProtoDetectConfProtoDetectionEnabled(), RegisterDNP3Parsers(), and RegisterHTTP2Parsers().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ AppLayerProtoDetectDeSetup()

int AppLayerProtoDetectDeSetup ( void  )

Cleans up the app layer protocol detection phase.

Todo:
incomplete. Need more work.

Definition at line 1729 of file app-layer-detect-proto.c.

References FLOW_PROTO_DEFAULT, PatIntId, and SCEnter.

Referenced by AppLayerDeSetup().

Here is the caller graph for this function:

◆ AppLayerProtoDetectDestroyCtxThread()

void AppLayerProtoDetectDestroyCtxThread ( AppLayerProtoDetectThreadCtx tctx)

Destroys the app layer protocol detection thread context.

Parameters
tctxPointer to the app layer protocol detection thread context.

Definition at line 2010 of file app-layer-detect-proto.c.

References FLOW_PROTO_DEFAULT, and SCEnter.

Referenced by AppLayerDestroyCtxThread().

Here is the caller graph for this function:

◆ AppLayerProtoDetectGetCtxThread()

AppLayerProtoDetectThreadCtx* AppLayerProtoDetectGetCtxThread ( void  )

Inits and returns an app layer protocol detection thread context.

Parameters
ctxPointer to the app layer protocol detection context.
Return values
Pointerto the thread context, on success; NULL, on failure.

Definition at line 1957 of file app-layer-detect-proto.c.

References alpd_tctx, FLOW_PROTO_DEFAULT, PatIntId, and SCEnter.

Referenced by AppLayerGetCtxThread(), and LLVMFuzzerTestOneInput().

Here is the caller graph for this function:

◆ AppLayerProtoDetectGetProto()

AppProto AppLayerProtoDetectGetProto ( AppLayerProtoDetectThreadCtx tctx,
Flow f,
const uint8_t *  buf,
uint32_t  buflen,
uint8_t  ipproto,
uint8_t  flags,
bool *  reverse_flow 
)

Returns the app layer protocol given a buffer.

Parameters
tctxPointer to the app layer protocol detection thread context.
fPointer to the flow.
bufThe buffer to be inspected.
buflenThe length of the above buffer.
ipprotoThe ip protocol.
flagsThe direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT.
[out]reverse_flowtrue if flow is detected to be reversed
Return values
Theapp layer protocol.

Definition at line 1396 of file app-layer-detect-proto.c.

References ALPROTO_MAX, ALPROTO_UNKNOWN, flags, FLOW_IS_PM_DONE, SCEnter, and SCLogDebug.

Referenced by AppLayerHandleUdp(), and LLVMFuzzerTestOneInput().

Here is the caller graph for this function:

◆ AppLayerProtoDetectGetProtoByName()

AppProto AppLayerProtoDetectGetProtoByName ( const char *  alproto_name)

Definition at line 2056 of file app-layer-detect-proto.c.

References SCEnter.

Referenced by AppLayerGetProtoByName().

Here is the caller graph for this function:

◆ AppLayerProtoDetectGetProtoName()

const char* AppLayerProtoDetectGetProtoName ( AppProto  alproto)

Definition at line 2081 of file app-layer-detect-proto.c.

References ALPROTO_HTTP.

Referenced by AppLayerGetProtoName().

Here is the caller graph for this function:

◆ AppLayerProtoDetectPMRegisterPatternCI()

int AppLayerProtoDetectPMRegisterPatternCI ( uint8_t  ipproto,
AppProto  alproto,
const char *  pattern,
uint16_t  depth,
uint16_t  offset,
uint8_t  direction 
)

Registers a case-insensitive pattern for protocol detection.

Definition at line 1684 of file app-layer-detect-proto.c.

References SCEnter.

◆ AppLayerProtoDetectPMRegisterPatternCS()

int AppLayerProtoDetectPMRegisterPatternCS ( uint8_t  ipproto,
AppProto  alproto,
const char *  pattern,
uint16_t  depth,
uint16_t  offset,
uint8_t  direction 
)

Registers a case-sensitive pattern for protocol detection.

Definition at line 1657 of file app-layer-detect-proto.c.

References SCEnter.

◆ AppLayerProtoDetectPMRegisterPatternCSwPP()

int AppLayerProtoDetectPMRegisterPatternCSwPP ( uint8_t  ipproto,
AppProto  alproto,
const char *  pattern,
uint16_t  depth,
uint16_t  offset,
uint8_t  direction,
ProbingParserFPtr  PPFunc,
uint16_t  pp_min_depth,
uint16_t  pp_max_depth 
)

Definition at line 1670 of file app-layer-detect-proto.c.

References SCEnter.

◆ AppLayerProtoDetectPPParseConfPorts()

int AppLayerProtoDetectPPParseConfPorts ( const char *  ipproto_name,
uint8_t  ipproto,
const char *  alproto_name,
AppProto  alproto,
uint16_t  min_depth,
uint16_t  max_depth,
ProbingParserFPtr  ProbingParserTs,
ProbingParserFPtr  ProbingParserTc 
)
Return values
bool0 if no config was found, 1 if config was found

Definition at line 1583 of file app-layer-detect-proto.c.

References AppLayerProtoDetectPPRegister(), ConfGetNode(), ConfNodeLookupChild(), FatalError, SCEnter, SCLogDebug, SCReturnInt, and ConfNode_::val.

Here is the call graph for this function:

◆ AppLayerProtoDetectPPRegister()

void AppLayerProtoDetectPPRegister ( uint8_t  ipproto,
const char *  portstr,
AppProto  alproto,
uint16_t  min_depth,
uint16_t  max_depth,
uint8_t  direction,
ProbingParserFPtr  ProbingParser1,
ProbingParserFPtr  ProbingParser2 
)

register parser at a port

Parameters
directionSTREAM_TOSERVER or STREAM_TOCLIENT for dp or sp

Definition at line 1543 of file app-layer-detect-proto.c.

References head, and SCEnter.

Referenced by AppLayerProtoDetectPPParseConfPorts(), RegisterDNP3Parsers(), and RegisterTFTPParsers().

Here is the caller graph for this function:

◆ AppLayerProtoDetectPrepareState()

int AppLayerProtoDetectPrepareState ( void  )

Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered.

Definition at line 1499 of file app-layer-detect-proto.c.

References FLOW_PROTO_DEFAULT, and SCEnter.

Referenced by AppLayerSetup().

Here is the caller graph for this function:

◆ AppLayerProtoDetectRegisterAlias()

void AppLayerProtoDetectRegisterAlias ( const char *  proto_name,
const char *  proto_alias 
)

◆ AppLayerProtoDetectRegisterProtocol()

void AppLayerProtoDetectRegisterProtocol ( AppProto  alproto,
const char *  alproto_name 
)

Registers a protocol for protocol detection phase.

   This is the first function to be called after calling the
   setup function, AppLayerProtoDetectSetup(), before calling any other
   app layer functions, AppLayerParser or AppLayerProtoDetect, alike.
   With this function you are associating/registering a string
   that can be used by users to write rules, i.e.
   you register the http protocol for protocol detection using
   AppLayerProtoDetectRegisterProtocol(ctx, ALPROTO_HTTP1, "http"),
   following which you can write rules like -
   alert http any any -> any any (sid:1;)
   which basically matches on the HTTP protocol.
Parameters
alprotoThe protocol.
alproto_strThe string to associate with the above "alproto". Please send a static string that won't be destroyed post making this call, since this function won't create a copy of the received argument.
Return values
0On success; -1 On failure.

Definition at line 1761 of file app-layer-detect-proto.c.

References SCEnter.

Referenced by RegisterDNP3Parsers(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterHTTP2Parsers(), RegisterIMAPParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), and RegisterTFTPParsers().

Here is the caller graph for this function:

◆ AppLayerProtoDetectReset()

void AppLayerProtoDetectReset ( Flow )

◆ AppLayerProtoDetectSetup()

int AppLayerProtoDetectSetup ( void  )

The first function to be called. This initializes a global protocol detection context.

Return values
0On success;
-1On failure.

Definition at line 1699 of file app-layer-detect-proto.c.

References SCEnter.

Referenced by AppLayerSetup(), and LLVMFuzzerTestOneInput().

Here is the caller graph for this function:

◆ AppLayerProtoDetectSupportedAppProtocols()

void AppLayerProtoDetectSupportedAppProtocols ( AppProto alprotos)

Definition at line 2098 of file app-layer-detect-proto.c.

References ALPROTO_MAX, and SCEnter.

Referenced by AppLayerListSupportedProtocols(), and AppLayerRegisterThreadCounters().

Here is the caller graph for this function:

◆ AppLayerProtoDetectSupportedIpprotos()

void AppLayerProtoDetectSupportedIpprotos ( AppProto  alproto,
uint8_t *  ipprotos 
)

Definition at line 2036 of file app-layer-detect-proto.c.

References ALPROTO_DOH2, ALPROTO_HTTP, ALPROTO_HTTP1, ALPROTO_HTTP2, AppLayerProtoDetectSupportedIpprotos(), and SCEnter.

Referenced by AppLayerProtoDetectSupportedIpprotos().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ AppLayerProtoDetectUnittestCtxBackup()

void AppLayerProtoDetectUnittestCtxBackup ( void  )

Backs up the internal context used by the app layer proto detection module.

Definition at line 2146 of file app-layer-detect-proto.c.

References SCEnter.

◆ AppLayerProtoDetectUnittestCtxRestore()

void AppLayerProtoDetectUnittestCtxRestore ( void  )

Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup().

Definition at line 2154 of file app-layer-detect-proto.c.

References SCEnter.

◆ AppLayerProtoDetectUnittestsRegister()

void AppLayerProtoDetectUnittestsRegister ( void  )

Register unittests for app layer proto detection module.

Definition at line 3649 of file app-layer-detect-proto.c.

References SCEnter, and UtRegisterTest().

Here is the call graph for this function:

◆ AppLayerRegisterExpectationProto()

void AppLayerRegisterExpectationProto ( uint8_t  proto,
AppProto  alproto 
)

Definition at line 2127 of file app-layer-detect-proto.c.

References expectation_proto, proto, and SCLogError.

◆ AppLayerRequestProtocolChange()

bool AppLayerRequestProtocolChange ( Flow f,
uint16_t  dp,
AppProto  expect_proto 
)

request applayer to wrap up this protocol and rerun protocol detection.

When this is called, the old session is reset unconditionally. A 'detect/log' flush packet is generated for both direction before the reset, so allow for final detection and logging.

Parameters
fflow to act on
dpdestination port to use in protocol detection. Set to 443 for start tls, set to the HTTP uri port for CONNECT and set to 0 to not use it.
expect_protoexpected protocol. AppLayer event will be set if detected protocol differs from this.

Definition at line 1811 of file app-layer-detect-proto.c.

References Flow_::alproto, Flow_::alproto_expect, Flow_::alproto_orig, Flow_::alproto_tc, Flow_::alproto_ts, ALPROTO_UNKNOWN, DEBUG_VALIDATE_BUG_ON, FlowChangeProto(), FlowSetChangeProtoFlag(), and Flow_::protodetect_dp.

Referenced by AppLayerRequestProtocolTLSUpgrade().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ AppLayerRequestProtocolTLSUpgrade()

bool AppLayerRequestProtocolTLSUpgrade ( Flow f)

request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS.

Sets detection port to 443 to make port based TLS detection work for SMTP, FTP etc as well.

Parameters
fflow to act on

Definition at line 1842 of file app-layer-detect-proto.c.

References ALPROTO_TLS, and AppLayerRequestProtocolChange().

Here is the call graph for this function: